1. An administrator has to configure LDAP authentication for a ZTNA HTTPS access proxy. Which authentication scheme can the administrator apply?

A. Basic 

B. Form-based 

C. Digest 

D. NTLM 

Answer: B 

Explanation: 

LDAP (Lightweight Directory Access Protocol) authentication for a ZTNA (Zero Trust 
Network Access) HTTPS access proxy is implemented with a form-based authentication 
scheme. Form-based authentication presents a web form to the user, who enters a 
username and password; FortiGate then validates those credentials against the LDAP 
directory. Because the ZTNA access proxy terminates the HTTPS session itself, it can 
serve that form directly to the browser, which makes form-based authentication a 
suitable choice for HTTPS access proxy setups in a ZTNA framework.

Reference: FortiGate Security 7.2 Study Guide, LDAP authentication configuration 
sections.
2. FortiNAC has alarm mappings configured for MDM compliance failure, and 
FortiClient EMS is added as an MDM connector.

When an endpoint is quarantined by FortiClient EMS, what action does FortiNAC 
perform?

A. The host is isolated in the registration VLAN

B. The host is marked at risk.

C. The host is forced to authenticate again

D. The host is disabled

Answer: A

Explanation:

In the scenario where FortiNAC has alarm mappings configured for MDM (Mobile 
Device Management) compliance failure and FortiClient EMS (Endpoint Management 
System) is integrated as an MDM connector, the typical response when an endpoint 
is quarantined by FortiClient EMS is to isolate the host in the registration VLAN. This 
action is consistent with FortiNAC's approach to network access control, focusing on 
ensuring network security and compliance. By moving the non-compliant or 
quarantined host to a registration VLAN, FortiNAC effectively segregates it from the 
rest of the network, mitigating potential risks while allowing for further investigation or 
remediation steps. 

Reference: FortiNAC documentation, MDM Compliance and Response Actions. 
3. Based on the ZTNA logs provided, which statement is true?

A. The Remote user ZTNA tag has matched the ZTNA rule
B. An authentication scheme is configured 

C. The external IP for the ZTNA server is 10.122.0.139.

D. Traffic is allowed by firewall policy 1 

Answer: A

Explanation:

Based on the ZTNA logs provided, the true statement is:

A) The Remote user ZTNA tag has matched the ZTNA rule. The log includes a user 
tag "ztna user" and a policy name, which shows that the ZTNA tag for "Remote User" 
has matched the ZTNA rule defined in the policy to allow access.

The other options are not supported by the information in the log:

B) An authentication scheme is configured: The log does not provide details about an 
authentication scheme.

C) The external IP for the ZTNA server is 10.122.0.139: The log entry contains 
"dstip=10.122.0.139", which is the destination IP address of the traffic, not 
necessarily the external IP of the ZTNA server.

D) Traffic is allowed by firewall policy 1: The log entry "policyid=1" indicates that the 
traffic matched firewall policy ID 1, but a policy match alone does not say what the 
policy did. Only the field "action=accept" shows that the policy allowed the traffic; with 
that field present, option D could be considered correct as well.

Reference: Interpretation of FortiGate ZTNA Log Files.

Analyzing Traffic Logs for Zero Trust Network Access.
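The explanation above depends on reading the right fields out of a FortiGate key=value log line, and on the distinction it draws between "the flow matched policy 1" (policyid=1) and "policy 1 allowed the flow" (policyid=1 together with action=accept). The parser below is an added example, not code from the exam page or from Fortinet. Both log lines in it are constructed for illustration: the field names follow the FortiOS key=value log syntax, and the values (addresses, times, the user and policy names) are assumptions, apart from dstip=10.122.0.139 and policyid=1, which the explanation quotes.

```python
"""Parse FortiGate key=value log lines and test log-based statements against them."""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not real captures). Values are assumptions for this
# example; only dstip and policyid reuse what the explanation quotes.
ACCEPT_LINE = (
    'date=2023-05-01 time=10:15:22 type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.10 srcport=51234 dstip=10.122.0.139 dstport=443 proto=6 '
    'action="accept" policyid=1 policytype="proxy-policy" policyname="External Access" '
    'user="ztna_user" group="Remote-Users" service="HTTPS"'
)
DENY_LINE = (
    'date=2023-05-01 time=10:16:02 type="traffic" subtype="forward" level="notice" '
    'srcip=192.0.2.11 srcport=51300 dstip=10.122.0.139 dstport=443 proto=6 '
    'action="deny" policyid=1 policytype="proxy-policy" policyname="External Access" '
    'service="HTTPS"'
)

# key=value pairs separated by whitespace; a value is either double-quoted
# (may contain spaces) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a key -> value dict.

    Quoted values keep their embedded spaces (policyname="External Access");
    unquoted values run to the next whitespace (dstip=10.122.0.139).
    """
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in _KV.finditer(line)
    }


def policy_allowed(fields: Dict[str, str], policy_id: int) -> bool:
    """True only if the flow matched policy_id AND the logged action is accept.

    policyid alone identifies which policy processed the flow; it does not say
    whether that policy permitted it, so both fields are required.
    """
    return fields.get("policyid") == str(policy_id) and fields.get("action") == "accept"


def destination(fields: Dict[str, str]) -> Optional[str]:
    """Return dstip as logged.

    This is where the flow was sent. Nothing in the line labels it as the
    access proxy's external address, so the log cannot prove a statement
    about the ZTNA server's external IP.
    """
    return fields.get("dstip")


def has_user_identity(fields: Dict[str, str]) -> bool:
    """True when the line carries a user or group field.

    That shows an identity was attached to the session; it does not reveal
    which authentication scheme (basic, form, SAML, ...) produced it.
    """
    return bool(fields.get("user") or fields.get("group"))


def summarize(lines: List[str]) -> List[Dict[str, object]]:
    """Evaluate each line against the checks above."""
    result = []
    for line in lines:
        f = parse_log(line)
        result.append({
            "time": f.get("time"),
            "user": f.get("user"),
            "dst": destination(f),
            "allowed_by_policy_1": policy_allowed(f, 1),
            "identity_present": has_user_identity(f),
        })
    return result


if __name__ == "__main__":
    for row in summarize([ACCEPT_LINE, DENY_LINE]):
        print(row)
```

Run over the two constructed lines, the accept line reports allowed_by_policy_1 True and the deny line False even though both carry policyid=1, which is exactly why option D needs action=accept and not just the policy ID.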
4. Which port group membership should you enable on FortiNAC to isolate rogue 
hosts?

A. Forced Authentication

B. Forced Registration

C. Forced Remediation

D. Reset Forced Registration

Answer: C

Explanation:

In FortiNAC, to isolate rogue hosts, you should enable the:

C) Forced Remediation: This port group membership is used to isolate hosts that 
have been determined to be non-compliant or potentially harmful. It enforces a 
remediation process on the devices in this group, often by placing them in a separate 
VLAN or network segment where they have limited or no access to the rest of the 
network until they are remediated.

The other options are not specifically designed for isolating rogue hosts: 

A) Forced Authentication: This is used to require devices to authenticate before 
gaining network access. 

B) Forced Registration: This group is used to ensure that all devices are registered 
before they are allowed on the network. 


D) Reset Forced Registration: This is used to reset the registration status of devices, 
not to isolate them.
5. [Exhibit: FortiNAC host view]

Host Name | Host Status | IP Address   | Physical Address
----------|-------------|--------------|------------------
-         |             | 10.1.502     | 00:0C:29:6B:9A:4E
hr        | w           | 10.1.104.101 | 00:0C:29:0D:86:A5
          |             |              | 00:0C:29:7B:43:94


Which statement is true about the hr endpoint? 
A. The endpoint is a rogue device 

B. The endpoint is disabled 

C. The endpoint is unauthenticated

D. The endpoint has been marked at risk

Answer: D

Explanation:

Based on the exhibit showing the status of the hr endpoint, the true statement about 
this endpoint is:

D) The endpoint has been marked at risk: The "w" next to the host status for the 'hr' 
endpoint denotes a warning, indicating that the system has marked it as at 
risk due to a security policy violation or another concern that needs to be 
addressed.

The other options do not align with the provided symbol "w" in the context of 
FortiNAC:

A) The endpoint is a rogue device: If the endpoint were rogue, we would expect a 
different symbol, often indicating a critical status or alarm.

B) The endpoint is disabled: A disabled status is indicated by a different icon 
or status indicator.

C) The endpoint is unauthenticated: An unauthenticated status would also be 
represented by a different symbol or status indication, not a "w".

6.Which two statements are true regarding certificate-based authentication for ZTNA 
deployment? (Choose two.) 

A. FortiGate signs the client certificate submitted by FortiClient. 

B. The default action for empty certificates is block 

C. Certificate actions can be configured only on the FortiGate CLI 

D. Client certificate configuration is a mandatory component for ZTNA 

Answer: B, D 

Explanation: 

Certificate-based authentication is a method of verifying the identity of a device or 
user by using a digital certificate issued by a trusted authority. For ZTNA deployment, 
certificate-based authentication is used to ensure that only authorized devices and 
users can access the protected applications or resources.

B) The default action for empty certificates is block. This is true because ZTNA 
requires both device and user verification before granting access. If a device does not 
have a valid certificate issued by the ZTNA CA, it will be blocked by the ZTNA 
gateway. This prevents unauthorized or compromised devices from accessing the 
network. 

D) Client certificate configuration is a mandatory component for ZTNA. This is true 
because ZTNA relies on client certificates to identify and authenticate devices. Client 
certificates are generated by the ZTNA CA and contain the device ID, ZTNA tags, and 
other information. Client certificates are distributed to devices by the ZTNA 
management server (such as EMS) and are used to establish a secure connection 
with the ZTNA gateway.

A) FortiGate signs the client certificate submitted by FortiClient. This is false because 
FortiGate does not sign the client certificates. The client certificates are signed by the 
ZTNA CA, which is a separate entity from FortiGate. FortiGate only verifies the client 
certificates and performs certificate actions based on the ZTNA tags.

C) Certificate actions can be configured only on the FortiGate CLI. This is false 
because certificate actions can be configured on both the FortiGate GUI and CLI. 
Certificate actions are the actions that FortiGate takes based on the ZTNA tags in the 
client certificates. For example, FortiGate can allow, block, or redirect traffic based on 
the ZTNA tags.

Reference:

1: Technical Tip: ZTNA for Corporate hosts with SAML authentication and 
FortiAuthenticator as IDP

2: Zero Trust Network Access | Fortinet


7. Which one of the supported communication methods does FortiNAC use for initial 
device identification during discovery?

A. LLDP

B. SNMP
C. API 
D. SSH 
Answer: B 
Explanation: 
FortiNAC uses a variety of methods to identify devices on the network, such as 
Vendor OUI, DHCP fingerprinting, and device profiling [1][2]. One of the supported 
communication methods that FortiNAC uses for initial device identification during 
discovery is SNMP (Simple Network Management Protocol) [3]. SNMP is a protocol that 
allows network devices to exchange information and monitor their status [4]. FortiNAC 
can use SNMP to read information from switches and routers, such as MAC 
addresses, IP addresses, VLANs, and port status [3]. SNMP can also be used to 
configure network devices and enforce policies [4].

Reference: 
1: Identification | FortiNAC 9.4.0 - Fortinet Documentation 
2: Device profiling process | FortiNAC 8.3.0 | Fortinet Document Library 
3: Using FortiNAC to identify medical devices - James Pratt 
4: How does FortiNAC identify a new device on the network?


8. What happens when FortiClient EMS is configured as an MDM connector on 
FortiNAC? 
A. FortiNAC sends the host data to FortiClient EMS to update its host database 
B. FortiClient EMS verifies with FortiNAC that the device is registered 
C. FortiNAC polls FortiClient EMS periodically to update already registered hosts in 
FortiNAC
D. FortiNAC checks for device vulnerabilities and compliance with FortiClient
Answer: C
Explanation:
When FortiClient EMS is configured as an MDM connector on FortiNAC, it allows 
FortiNAC to obtain host information from FortiClient EMS and use it for network 
access control. FortiNAC polls FortiClient EMS periodically (every 5 minutes by 
default) to update already registered hosts in FortiNAC. This ensures that FortiNAC 
has the latest host data from FortiClient EMS, such as device type, OS, IP address, 
MAC address, hostname, and FortiClient version. FortiNAC can also use FortiClient 
EMS as an authentication source for devices that have FortiClient installed. FortiNAC 
does not send any data to FortiClient EMS or check for device vulnerabilities and 
compliance with FortiClient [1][2][3].
Reference: 
1: MDM Service Connectors | FortiClient EMS Integration 
2: FortiClient EMS Device Integration | FortiNAC 9.4.0 - Fortinet Documentation 
3: Technical Tip: Integration with FortiClient EMS
9. Which two types of configuration can you associate with a user/host profile on 
FortiNAC? (Choose two.)
A. Service Connectors 
B. Network Access 
C. Inventory 
D. Endpoint compliance 
Answer: B, D
Explanation: 
User/host profiles are used to map sets of hosts and users to different types of 
policies or rules on FortiNAC. Among the options given, network access and endpoint 
compliance are the two types of configuration that can be associated with a user/host 
profile. Network access configuration determines the VLAN, CLI configuration or VPN 
group that is assigned to a host or user based on their profile. Endpoint compliance 
configuration defines the policies that check the host or user for compliance status, 
such as antivirus, firewall, patch level, etc. Service connectors and inventory are not 
types of configuration, but features of FortiNAC that allow integration with other 
services and devices, and collection of host and user data, respectively.

Reference: User/host profiles | FortiNAC 9.4.0 - Fortinet Documentation